HackTool - PCHunter Execution

Last updated on:

Rule name: HackTool - PCHunter Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Discovery: System Service Discovery (T1007), Discovery: System Information Discovery (T1082), Discovery: Query Registry (T1012), Discovery: File and Directory Discovery (T1083), Discovery: Process Discovery (T1057)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects suspicious activity involving PCHunter, a tool similar to Process Hacker, used to view and manipulate processes, kernel settings, and other low-level system components.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → PCHunter execution → System exploration → Defense evasion → Persistence or Lateral movement

Impact

  • Kernel-level tampering
  • Security evasion risk
  • Process manipulation threat
  • System integrity compromise

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To enable detailed process tracking in a domain environment, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the “Include command line in process creation events” setting under Audit Process Creation. Additionally, create the "Microsoft-Windows-Security-Auditing/Operational" registry key under the EventLog registry path to support enhanced auditing.

  • Using Sysmon:

To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the "Microsoft-Windows-Sysmon/Operational" registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started"
  AND PROCESSNAME endswith "\PCHunter64.exe,\PCHunter32.exe"
  OR (ORIGINALFILENAME = "PCHunter.exe" OR MESSAGE = "Epoolsoft Windows Information View Tools")
  OR HASHES contains "SHA1=5F1CBC3D99558307BC1250D084FA968521482025,MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7,SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32,IMPHASH=444D210CEA1FF8112F256A4997EED7FF,SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB,MD5=228DD0C2E6287547E26FFBD973A40F14,SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C,IMPHASH=0479F44DF47CFA2EF1CCC4416A538663"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
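The criteria above, applied to Sysmon process-creation records as an added example (this is not the detection platform's own code): the process-started condition is required, and any one of the image name, OriginalFileName, Description or hash selectors is sufficient. Field names follow Sysmon's Event ID 1 schema (Image, OriginalFileName, Description, Hashes, Computer), and the sample events are constructed.

```python
# Added example, not the detection platform's own code: applies the rule's
# criteria to constructed Sysmon Event ID 1 records (schema fields Image,
# OriginalFileName, Description, Hashes; Computer stands in for HOSTNAME).
IMAGE_SUFFIXES = ("\\pchunter64.exe", "\\pchunter32.exe")
ORIGINAL_FILENAME = "pchunter.exe"
DESCRIPTION = "epoolsoft windows information view tools"
# Hash tokens exactly as listed in the Criteria section of this page.
KNOWN_HASHES = {
    "SHA1=5F1CBC3D99558307BC1250D084FA968521482025",
    "MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7",
    "SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32",
    "IMPHASH=444D210CEA1FF8112F256A4997EED7FF",
    "SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB",
    "MD5=228DD0C2E6287547E26FFBD973A40F14",
    "SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C",
    "IMPHASH=0479F44DF47CFA2EF1CCC4416A538663",
}

def parse_hashes(field: str) -> set:
    """Split Sysmon's 'ALG=HEX,ALG=HEX' string into upper-cased ALG=HEX tokens."""
    return {tok.strip().upper() for tok in field.split(",") if "=" in tok}

def is_pchunter(event: dict) -> bool:
    """Process-creation event AND any one selector, matched case-insensitively."""
    if event.get("EventID") != 1:
        return False
    if event.get("Image", "").lower().endswith(IMAGE_SUFFIXES):
        return True
    if event.get("OriginalFileName", "").lower() == ORIGINAL_FILENAME:
        return True
    if event.get("Description", "").lower() == DESCRIPTION:
        return True
    return bool(parse_hashes(event.get("Hashes", "")) & KNOWN_HASHES)

def alerts(events: list) -> list:
    """Return 'host:image' for every matching event, in input order."""
    return [f"{e['Computer']}:{e['Image']}" for e in events if is_pchunter(e)]

# Constructed sample telemetry (not real logs): a renamed binary exposed by its
# PE OriginalFileName, a hash-only match, and a benign Explorer launch.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Temp\\svc.exe",
     "OriginalFileName": "PCHunter.exe", "Description": "", "Hashes": ""},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Temp\\a.exe", "OriginalFileName": "",
     "Description": "", "Hashes": "SHA1=3fb89787cb97d902780da080545584d97fb1c2eb"},
    {"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\explorer.exe",
     "OriginalFileName": "EXPLORER.EXE", "Description": "Windows Explorer", "Hashes": "MD5=00"},
]
```

The renamed-binary case shows why the rule keys on PE metadata and hashes rather than on the image name alone.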

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

Under the NIST Cybersecurity Framework (CSF), the rule supports the Detect (DE) function, particularly the Security Continuous Monitoring (DE.CM) category.

  • DE.CM-1 calls for continuous monitoring of networks to detect potential cybersecurity events.
  • DE.CM-7 emphasizes monitoring for unauthorized software and devices, which includes hack tools like PCHunter.

It also supports the Respond (RS) function in the Analysis (RS.AN) category.

  • RS.AN-1 ensures that alerts from detection systems are promptly investigated.
  • RS.AN-4 requires categorization and prioritization of incidents based on organizational response plans.

Under NIST SP 800-53 (Rev. 5):

  • SI-4 (System Monitoring): This control mandates active monitoring of systems for malicious activity, including the detection of unauthorized or suspicious tools.
  • AU-6 (Audit Review, Analysis, and Reporting): The rule supports reviewing audit logs to detect and respond to threats such as the use of PCHunter.
  • CM-3 (Configuration Change Control): Detecting unauthorized execution of low-level tools helps identify unapproved changes or system tampering.
  • AC-6(10) (Least Privilege – Prohibit Privilege Elevation Tools): PCHunter can be used to bypass privilege restrictions, so detecting its use directly supports this control.
  • SI-7 (Software, Firmware, and Information Integrity): The rule supports integrity by identifying attempts to manipulate kernel-level components using unauthorized utilities.

Author

Florian Roth (Nextron Systems), Nasreddine Bencherchali

Future actions

Known False Positives

This rule might be triggered when system administrators or security analysts intentionally use PCHunter for legitimate debugging or forensic analysis. It may also trigger in controlled lab environments or during authorized penetration testing activities.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Containment: Isolate the affected system from the network to prevent further misuse or escalation.
  5. Eradication: Remove the PCHunter tool and any associated unauthorized changes or persistence mechanisms.